Posted to dev@nutch.apache.org by "Sebastian Nagel (JIRA)" <ji...@apache.org> on 2018/06/12 19:14:00 UTC

[jira] [Resolved] (NUTCH-2561) protocol-http can be made to read arbitrarily large HTTP responses

     [ https://issues.apache.org/jira/browse/NUTCH-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastian Nagel resolved NUTCH-2561.
------------------------------------
    Resolution: Fixed

Thanks, [~gbouchar], esp. for the idea for the unit test server.

> protocol-http can be made to read arbitrarily large HTTP responses
> ------------------------------------------------------------------
>
>                 Key: NUTCH-2561
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2561
>             Project: Nutch
>          Issue Type: Sub-task
>    Affects Versions: 1.14
>            Reporter: Gerard Bouchar
>            Priority: Critical
>             Fix For: 1.15
>
>         Attachments: evilserver.py
>
>
> protocol-http limits the size of the HTTP response body. However
>  * There is no limit over the size of the HTTP headers it reads. A bogus server could send an infinite stream of different HTTP headers and cause the fetcher to go out of memory, or send the same HTTP header repeatedly and cause the fetcher to timeout.
>  * The same goes for the HTTP status line: no check is made concerning its size.
> This can be both a performance and a security problem.
> Joined is an example python implementation of a server that makes protocol-http receive huge amounts of data and use a lot of CPU (because of NUTCH-2563), without being stopped by http.getTimeout() nor http.getMaxContent().
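The mitigation the report calls for is a reader that caps the status line, each header line, the header count and the total head size, and aborts at the first cap exceeded. The following Python is an added illustration, not code from Nutch or from the attached evilserver.py; the cap values and the sample responses are constructed assumptions.

```python
import io

# Hypothetical caps (not Nutch's own values) for every part of the head the issue says is unbounded.
MAX_STATUS_LINE_BYTES = 1024
MAX_HEADER_LINE_BYTES = 8192
MAX_HEADER_COUNT = 100
MAX_HEAD_BYTES = 64 * 1024

class ResponseHeadError(Exception):
    """Raised as soon as a cap is exceeded, before more input is buffered."""

def _read_line(stream, limit):
    # readline(limit + 1) returns at most limit + 1 bytes, so an endless line is cut off, not buffered.
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise ResponseHeadError("line exceeds %d bytes" % limit)
    if not line.endswith(b"\n"):
        raise ResponseHeadError("stream ended inside the response head")
    return line.rstrip(b"\r\n")

def read_response_head(stream):
    """Return (status_line, [(name, value), ...]) or raise on oversize input."""
    status = _read_line(stream, MAX_STATUS_LINE_BYTES)
    headers, consumed = [], len(status)
    while True:
        line = _read_line(stream, MAX_HEADER_LINE_BYTES)
        if line == b"":  # blank line terminates the head
            return status.decode("latin-1"), headers
        consumed += len(line)
        if len(headers) >= MAX_HEADER_COUNT or consumed > MAX_HEAD_BYTES:
            raise ResponseHeadError("too many headers or head too large")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ResponseHeadError("malformed header line")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))

def try_parse(raw):
    # Parse a raw response head; report a rejection instead of raising.
    try:
        status, headers = read_response_head(io.BytesIO(raw))
        return ("ok", status, len(headers))
    except ResponseHeadError as exc:
        return ("rejected", str(exc), None)

# Constructed samples: a normal head, the repeated-header flood from the issue, an oversized status line.
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
HEADER_FLOOD = b"HTTP/1.1 200 OK\r\n" + b"X-Flood: a\r\n" * 10000 + b"\r\n"
STATUS_FLOOD = b"HTTP/1.1 200 " + b"A" * 5000 + b"\r\n\r\n"
```

The flood samples are finite here so the script terminates; against a socket the same reader stops after at most MAX_HEAD_BYTES plus one over-long line, regardless of how much the server keeps sending.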



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)